<br><br>On Monday, January 19, 2015, Fredrik Thulin <<a href="mailto:fredrik@thulin.net">fredrik@thulin.net</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Monday, January 19, 2015 08:55:55 AM Jakob Schlyter wrote:<br>
...<br>
> Are there any good examples on attacks on a USB host from something like a<br>
> USB mass storage device or a USB HID?<br>
<br>
Look for bugs found using "facedancer". Here is some kind of paper (only<br>
skimmed it)<br>
<br></blockquote><div><br></div><div>Yeah, I have one of the facedancer widgets, and wrote a Python USB fuzzer that used it to twiddle the PID - I had some uncertainty about what it was actually outputting, so I ran it through a Beagle USB 12 protocol analyzer -- which promptly freaked out and locked hard. I called that success and went to have a snack. :-)<span></span></div><div><br></div><div>W</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<a href="https://www.blackhat.com/docs/eu-14/materials/eu-14-Schumilo-Dont-Trust-Your-USB-How-To-Find-Bugs-In-USB-Device-Drivers-wp.pdf" target="_blank">https://www.blackhat.com/docs/eu-14/materials/eu-14-Schumilo-Dont-Trust-Your-USB-How-To-Find-Bugs-In-USB-Device-Drivers-wp.pdf</a><br>
<br>
I couldn't find any good writeups about bugs found with that tool now, but I<br>
remember there was a steady stream of reports a while back - both bugs in<br>
various OS kernels, but also things like the X server having an exploitable<br>
printf formatting bug where it would log the USB vendor name to it's log file<br>
IIRC.<br>
<br>
If we're not just talking about attacks on USB stacks, but on hosts, check out<br>
BadUSB - On Accessories that Turn Evil by Karsten Nohl + Jakob Lell that<br>
Peter mentioned a while back on this list. Good talk.<br>
<br>
<a href="https://www.youtube.com/watch?v=nuruzFqMgIw" target="_blank">BadUSB - On Accessories that Turn Evil by Karsten Nohl + Jakob Lell</a><br>
<br>
/Fredrik<br>
<br>
_______________________________________________<br>
Tech mailing list<br>
<a href="javascript:;" onclick="_e(event, 'cvml', 'Tech@cryptech.is')">Tech@cryptech.is</a><br>
<a href="https://lists.cryptech.is/listinfo/tech" target="_blank">https://lists.cryptech.is/listinfo/tech</a><br>
</blockquote><br><br>-- <br>I don't think the execution is relevant when it was obviously a bad idea in the first place.<br>This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.<br> ---maf<br>